Abstract

BEAR, LION and LIONESS are block ciphers presented by Biham and Anderson 
(1996), inspired by the famous Luby-Rackoff constructions of block ciphers from 
other cryptographic primitives (1988). The ciphers proposed by Biham and Anderson
are based on one stream cipher and one hash function. Good properties of the
primitives ensure good properties of the block cipher. In particular, they are able to 
prove that their ciphers are immune to any efficient known-plaintext key-recovery 
attack that can use as input only one plaintext-ciphertext pair. Our contribution 
is showing that these ciphers are actually immune to any efficient known-plaintext 
key-recovery attack that can use as input any number of plaintext-ciphertext pairs. 
We are able to get this improvement by using slightly weaker hypotheses on the 
primitives. We also discuss the attack by Morin (1996). 
Introduction

In this paper we discuss three block ciphers, BEAR, LION and LIONESS, 
proposed in [AB96] by Anderson and Biham, whose construction depends on 
one stream cipher and one hash function. These block ciphers are inspired by 
[LR88] and present a three-round (for BEAR and LION) or four-round (for 
LIONESS) Feistel construction. In particular, we treat the provable security
shown by them and provide some improvements. 

In Section 1 we give some preliminaries, recalling in particular BEAR's 
construction (Subsection 1.1) with the results by Anderson and Biham, Th. 1.1 
and Th. 1.2, that ensure the non-existence of efficient attacks (of a very specific 
kind) on BEAR if at least one of the two primitives is robust. In this section 
we also recall LION's construction (Subsection 1.2) and their claimed results 
on LION, Th. 1.6 and Th. 1.8, on the non-existence of similar attacks. We 
provide our proof for them, with slightly weaker hypotheses. This preliminary 
section is concluded by a description of LIONESS (Subsection 1.3). 
In Section 2 we give our results on BEAR, LION and LIONESS, that show 
the non-existence of some more general attacks. We also introduce two slight 
variations, BEAR2 and LION2, of BEAR and LION, respectively. We identify
the hypotheses on the primitives that we need, in particular highlighting the
relation between key and hash function in the keyed hash function. In Subsection
2.1 we provide Th. 2.4 that improves Th. 1.2, and Th. 2.7 on BEAR2,
that improves Th. 1.1. In Subsection 2.2 we provide Th. 2.9 that improves
Th. 1.6, and Th. 2.10 on LION2, that extends and improves Th. 1.8. Finally,
in Subsection 2.3 we extend our results to LIONESS in Th. 2.13 and Th. 2.14.
In Section 3, we discuss our results and draw our conclusions. We also put in
context the attack on BEAR and LION by Morin ([Mor96]).

1 Preliminaries

We use $\mathbb{F}$ to denote $\mathbb{F}_2$ and typically when a capital $R$ or a capital $L$
appear, they mean elements of $\mathbb{F}^r$ and $\mathbb{F}^l$ respectively, with $r > l$. The
encrypted/decrypted messages are of kind $(L_i, R_i) \in \mathbb{F}^{l+r}$. The key space is
denoted by $\mathcal{K}$. Usually the key $K = (K_1, K_2)$ is composed of two subkeys,
each of length greater than $l$, so $\mathcal{K} = \mathbb{F}^k \times \mathbb{F}^k$, $k > l$.

In this paper we consider oracles able to recover the key using as input 
only a set of known plaintexts/ciphertexts. We call "single-pair" any oracle so 
strong as to need only one pair and "multi-pair" any other. 

1.1 Preliminaries on BEAR 

The description of BEAR encryption/decryption is based on a keyed hash
function $H_K$ and a stream cipher $S$ with the following properties.

(1) The keyed hash function $H_K(M)$

(a) is based on an unkeyed hash function $H'(M)$, in which we append
and/or prepend the key to the message;

(b) is one-way and collision-free, i.e. it is hard given $Y$ to find $X$ such that
$H'(X) = Y$, and to find unequal $X$ and $Y$ such that $H'(X) = H'(Y)$;

(c) is pseudo-random, in that even given $H'(X_i)$ for any set of inputs, it
is hard to predict any bit of $H'(Y)$ for a new input $Y$.

(2) The stream cipher $S(M)$:

(0) is pseudo-random (this condition is assumed but not listed in [AB96]);

(a) resists key recovery attacks, in that it is hard to find the seed $X$ given
$Y = S(X)$;

(b) resists expansion attacks, in that it is hard to expand any partial
stream of $Y$.

We note that conditions 1-(c) and 2-(0) ensure respectively that $H_K$ and $S$
are pseudo-random, in order to obtain security against some distinguishing
attacks in a rather theoretical model ([LR88] and [Luc96]).

We recall the BEAR encryption/decryption scheme (here $k > l$).



ENCRYPTION                              DECRYPTION

$\bar{L} = L + H_{K_1}(R)$              $\bar{L} = L' + H_{K_2}(R')$
$R' = R + S(\bar{L})$                   $R = R' + S(\bar{L})$
$L' = \bar{L} + H_{K_2}(R')$            $L = \bar{L} + H_{K_1}(R)$



In [AB96] Anderson and Biham claim the following results on one-pair oracles. 

Theorem 1.1 (Th. 1 of [AB96]). An oracle which finds the key of BEAR,
given one plaintext/ciphertext pair, can efficiently and with high probability
find the seed $M$ of the stream cipher $S$ for any output $Y = S(M)$.

Theorem 1.2 (Th. 2 of [AB96]). An oracle which finds the key of BEAR,
given one plaintext/ciphertext pair, can efficiently and with high probability
find preimages and collisions of the hash function $H$.

Remark 1.3. We observe that while proving Th. 1.1 and Th. 1.2 they only
need the following assumption on $H$:

for most $R$'s the map $H^R : \mathbb{F}^k \to \mathbb{F}^l$, $H^R(K) = H_K(R)$, is surjective.

This assumption is implied by the pseudo-randomness of the unkeyed hash
function $H'$ (and the bigger dimension of the key space), but it is not equivalent
to it. Indeed, it is easy to construct even linear functions satisfying it.
On the other hand, no hypothesis on the stream cipher $S$ is used.

Remark 1.4. The word efficiently in Th. 1.1 and Th. 1.2 might be confusing.
The oracle could need huge resources to work. A trivial example is given
by a brute force search of all keys. What Biham and Anderson mean is that
the attacker will need little computational effort in addition to any effort
done by the oracle itself, however large.

As a direct consequence of Th. 1.1 and Th. 1.2 we have: 

Corollary 1.5. If it is impossible to find efficiently the seed of S or it is 
impossible to find efficiently preimages and collisions of H, then no efficient 
(key-recovery) single-pair attack exists for BEAR. 
1.2 Preliminaries on LION

LION is quite similar to BEAR except that it uses the stream cipher twice
and the hash function only once. For LION, $\mathcal{K} = \mathbb{F}^{2l}$.
The requirements are:

(1) The hash function $H(M)$:

(b) is one-way and collision-free, i.e. it is hard given $Y$ to find $X$ such that
$H'(X) = Y$, and to find unequal $X$ and $Y$ such that $H'(X) = H'(Y)$;

(2) The stream cipher $S(M)$:

(0) is pseudo-random,

(a) resists key recovery attacks, in that it is hard to find the seed $X$ given
$Y = S(X)$;

(b) resists expansion attacks, in that it is hard to expand any partial
stream of $Y$.

We note that Anderson and Biham here dropped 1-(a) and 1-(c).
We recall the LION encryption/decryption scheme (here $k = l$).



ENCRYPTION                              DECRYPTION

$\bar{R} = R + S(L + K_1)$              $\bar{R} = R' + S(L' + K_2)$
$L' = L + H(\bar{R})$                   $L = L' + H(\bar{R})$
$R' = \bar{R} + S(L' + K_2)$            $R = \bar{R} + S(L + K_1)$



Results similar to Theorem 1.1 and Theorem 1.2 are claimed also for LION
but without proof or precise statement. They write "the security reduction of
LION proceeds similarly to that of BEAR; an oracle which yields the key of
LION will break both its components". Unfortunately, we have not been able
to write down direct adaptations of the previous proofs, especially because here
the property of $H$ as in Remark 1.3 cannot be used and we do not see how
one could get something similar for the stream cipher. Therefore, we now state
precisely their claims, giving the weakest hypotheses we can exhibit.

Theorem 1.6. Assume nothing on $H$ and $S$, except that they are set functions
$H : \mathbb{F}^r \to \mathbb{F}^l$ and $S : \mathbb{F}^l \to \mathbb{F}^r$. An oracle $A_1$ which finds the key of LION,
given one plaintext/ciphertext pair, can efficiently and with high probability
find the seed $M$ of the stream cipher $S$ for any particular output $Y = S(M)$.

Proof. Let us choose a random input $(L, R)$. Let $K_1 = M + L$. Then
$S(L + K_1) = Y$. We can compute $\bar{R} = R + Y$, $L' = L + H(R + Y)$ and, by choosing
any $K_2$, $R' = R + Y + S(L' + K_2)$. Then we give in input to the oracle the pair
$\{ (L, R), (L', R') \}$ and $A_1$ returns $(K_1, K_2)$, so we can immediately compute
$M = L + K_1$. □
To prove a similar theorem for the hash function, we need the following
definition.

Definition 1.7. Let $H$ and $S$ be functions, $H : \mathbb{F}^r \to \mathbb{F}^l$ and $S : \mathbb{F}^l \to \mathbb{F}^r$,
with $r > l$. We say that $(S, H)$ is a good pairing if for a random $Y \in \mathbb{F}^l$ we
have $H^{-1}(Y) \cap \mathrm{Im}(S) \neq \emptyset$.

We note that if at least one of $H$ and $S$ is pseudo-random, then $(S, H)$
is a good pairing. However, we might have a good pairing even if none of the
primitives is pseudo-random.

We are ready for our interpretation of their claim on the link between the 
security of LION and of the hash function. 

Theorem 1.8. Assume that $(S, H)$ is a good pairing. An oracle $A_1$ which
finds the key of LION, given one plaintext/ciphertext pair, can efficiently and
with high probability find preimages and collisions of the hash function $H$.

Proof. Since $r > l$ we can choose $R \notin \mathrm{Im}(S)$ with probability and
calculate $H(R) = Y \in \mathbb{F}^l$. We can suppose $H^{-1}(Y) \cap \mathrm{Im}(S) \neq \emptyset$ (else we can
choose another $R$) and so there is an $X \in H^{-1}(Y) \cap \mathrm{Im}(S)$. We consider as
plaintext $(L, 0)$, where $L$ is any element of $\mathbb{F}^l$ and $0 \in \mathbb{F}^r$. There exists $K_1$
such that $\bar{R} = S(L + K_1) = X$, because $X \in \mathrm{Im}(S)$. Thus $L' = L + H(\bar{R}) =
L + H(X) = L + Y$, because $X \in H^{-1}(Y)$. It follows that for $K_2 = L + L' + K_1$
we have $R' = X + S(L' + K_2) = X + X = 0$. We give to $A_1$ as input the
pair $\{ (L, 0), (L + Y, 0) \}$ and it returns $(K_1, K_2)$, so we can compute easily
$X = S(L + K_1)$, finding a collision $H(R) = H(X) = Y$. Note that $R \neq X$,
since $R \notin \mathrm{Im}(S)$ and $X \in \mathrm{Im}(S)$.

To find a preimage, argue as above but with an arbitrary $Y \in \mathbb{F}^l$. □

The same considerations as in Remark 1.4 hold and a corollary analogous 
to Cor. 1.5 holds. 
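
The reduction in the proof of Th. 1.8, run end to end on toy parameters, as an added example that is not from the paper. The sizes ($l = 8$, $r = 16$ bits), truncated SHA-256 standing in for both $H$ and $S$, the exhaustive-search stand-in for the oracle $A_1$, and all function names are assumptions.

```python
import hashlib

L_BYTES, R_BYTES = 1, 2          # toy sizes (assumed): l = 8 bits, r = 16 bits, r > l

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def H(msg):                      # unkeyed hash H : F^r -> F^l (truncated SHA-256, assumed)
    return hashlib.sha256(b"H" + msg).digest()[:L_BYTES]

def S(seed):                     # stream cipher S : F^l -> F^r (truncated SHA-256, assumed)
    return hashlib.sha256(b"S" + seed).digest()[:R_BYTES]

def lion_encrypt(k1, k2, L, R):
    Rbar = xor(R, S(xor(L, k1)))
    L2 = xor(L, H(Rbar))
    R2 = xor(Rbar, S(xor(L2, k2)))
    return L2, R2

def oracle_A1(pt, ct):
    """Stand-in single-pair oracle: searches the whole toy key space,
    pruning on L' (which does not depend on K2). Returns None if no key fits."""
    (L, R), (L2, R2) = pt, ct
    for a in range(256):
        k1 = bytes([a])
        Rbar = xor(R, S(xor(L, k1)))
        if xor(L, H(Rbar)) != L2:
            continue
        for b in range(256):
            k2 = bytes([b])
            if xor(Rbar, S(xor(L2, k2))) == R2:
                return k1, k2
    return None

def find_collision():
    """Proof of Th. 1.8: pick R outside Im(S), query the oracle on the pair
    ((L, 0), (L + H(R), 0)), and read a colliding X in Im(S) off the key."""
    image = {S(bytes([s])) for s in range(256)}
    L, zero = b"\x00", bytes(R_BYTES)
    for v in range(2 ** 16):
        R = v.to_bytes(R_BYTES, "big")
        if R in image:
            continue
        Y = H(R)
        key = oracle_A1((L, zero), (xor(L, Y), zero))
        if key is None:          # good pairing fails for this Y: choose another R
            continue
        X = S(xor(L, key[0]))    # X is in Im(S) and H(X) = Y = H(R)
        return R, X, key
    return None

if __name__ == "__main__":
    R, X, key = find_collision()
    print(R.hex(), X.hex(), H(R) == H(X))
```

Any key the oracle returns that is consistent with the submitted pair yields a valid collision, even if several keys fit, because $L' = L + Y$ forces $H(S(L + K_1)) = Y$.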



1.3 Preliminaries on LIONESS 

The third block cipher proposed in [AB96] is LIONESS, which consists of
four rounds and uses four independent keys, $K_1, K_3 \in \mathbb{F}^l$, $K_2, K_4 \in \mathbb{F}^k$, so
$\mathcal{K} = \mathbb{F}^l \times \mathbb{F}^k \times \mathbb{F}^l \times \mathbb{F}^k$, for some $k$.

Anderson and Biham do not give explicit statements on LIONESS's security,
but it is obvious from its construction that any provable-security result
for LION and/or BEAR directly extends to LIONESS, because any oracle
attacking LIONESS will be able to attack LION and BEAR, with possibly even
less effort.
LIONESS

ENCRYPTION                                  DECRYPTION

$\bar{R} = R + S(L + K_1)$                  $\bar{L} = L' + H_{K_4}(R')$
$\bar{L} = L + H_{K_2}(\bar{R})$            $\bar{R} = R' + S(\bar{L} + K_3)$
$R' = \bar{R} + S(\bar{L} + K_3)$           $L = \bar{L} + H_{K_2}(\bar{R})$
$L' = \bar{L} + H_{K_4}(R')$                $R = \bar{R} + S(L + K_1)$



For completeness, we can state the following obvious corollary. 

Corollary 1.9. Assume nothing on $H$ and $S$, except that they are set functions
$H : \mathbb{F}^r \to \mathbb{F}^l$ and $S : \mathbb{F}^l \to \mathbb{F}^r$ and that for most $R$'s the map $H^R : \mathbb{F}^k \to
\mathbb{F}^l$, $H^R(K) = H_K(R)$, is surjective. Then an oracle $A_1$ which finds the key of
LIONESS, given one plaintext/ciphertext pair, can efficiently and with high
probability both find the seed of $S$ and find preimages/collisions of $H$.

2 Our improvements 

We propose a property for the keyed hash function, $H_K$, able to ensure the
security from any key-recovery attack that uses plaintext/ciphertext pairs.

Definition 2.1. Given a keyed hash function $\mathcal{H} = \{ H_K \}_{K \in \mathbb{F}^k}$, $H_K : \mathbb{F}^r \to \mathbb{F}^l$
for any $K \in \mathbb{F}^k$, we say that $\mathcal{H}$ is key-resistant if, given a pair $(Z, R)$ such
that $Z = H_K(R)$ for a random $K$ and a random $R$, then it is hard to find $K$.

Let us consider a keyed hash function $\mathcal{H}$ of kind $H_K(R) = H'(f(K, R))$ for
some injective function $f$. For practical purposes we want also that $(K, R)$ is
easy to find from $f(K, R)$. In [AB96] $f$ can be a concatenation, but we do not
need to be so restrictive. Let $K$ and $R$ be random and consider the equation:

$Z = H'(f(K, R)) = H_K(R)$    (1)

We note that 1-(b) for $H'$ implies that (1) cannot be solved knowing $Z$. On the
other hand, the key-resistance of $\mathcal{H}$ means that (1) cannot be solved knowing
$Z$ and $R$. It may seem that there is a logical link between the two conditions,
but generally speaking there is none, as we are going to show:

• Suppose that 1-(b) does not hold. From $K$ and $R$ we get $Z$. Then we
can solve $Z = H'(X)$. However, $Z$ can have many preimages (2''"^ on
average), and so $X$ is likely to be outside $\mathrm{Im}(f)$. The knowledge of $R$
cannot help here, except in discarding unwanted preimages. Only if 1-(b)
fails badly, that is, if we can get efficiently all preimages of $Z$, then we
will be able to solve (1) by discarding all preimages except that of the
desired form $(K, R)$.

• Suppose that $\mathcal{H}$ is not key-resistant. If $Z$ does not come from $\mathrm{Im}(f)$
then there is no way the lack of key-resistance can help. But even if
$Z = H(K, R)$ for some random $K$ and $R$, still the attacker does not
know $R$ and so lack of key-resistance cannot help, unless the attacker is
allowed to search in a brute-force effort the whole $\mathbb{F}^r$, which is supposed
to be hard in our context.

If $H'$ is pseudo-random, then $\mathcal{H}$ is clearly key-resistant.
As regards the stream cipher, we can consider a similar notion in a slightly
more general situation, that is, when $\mathcal{K} \subset \mathbb{F}^{2l}$.

Definition 2.2. Let $\mathcal{K} \subset \mathbb{F}^{2l}$. Given a stream cipher $S : \mathbb{F}^l \to \mathbb{F}^r$, we say
that $S$ is key-resistant if, given a pair $(Z, L)$ such that $Z = S(L + K_1)$ for a
random $(K_1, K_2) \in \mathcal{K}$ and a random $L \in \mathbb{F}^l$, then it is hard to find $K_1$.

When $\mathcal{K} = \mathbb{F}^{2l}$ we obviously have the equivalence between 2-(a) and the
key-resistance, since translations act regularly.

Remark 2.3. We could change the definition of LION by having a different
action induced by the keys, that is, $S(\tau_K(L))$ instead of $S(L + K)$, where
$\{ \tau_K \}_{K \in \mathcal{K}} \subset \mathrm{Sym}(\mathbb{F}^l)$, $\mathrm{Sym}(\mathbb{F}^l)$ being the symmetric group acting on $\mathbb{F}^l$. All
subsequent results will still hold, provided the action is regular.

2.1 Our improvements for BEAR 

It is possible to give an improvement of Theorem 1.2, passing from one-pair 
oracles to multi-pair oracles. 

Theorem 2.4. Let $n > 1$. Let $A_n$ be an oracle able to find the key of BEAR
given any set of $n$ plaintext-ciphertext pairs $\{ ((L_i, R_i), (L'_i, R'_i)) \}_{1 \le i \le n}$. Then
$A_n$ is able to solve efficiently any equation $Z = H_{K_1}(R)$, knowing $Z$ and $R$,
for any random $R \in \mathbb{F}^r$ and any random $K_1 \in \mathbb{F}^k$.

Proof. Let us choose a set $\{ L_i \}_{1 \le i \le n} \subset \mathbb{F}^l$ and consider the set of plaintexts
$\{ (L_i, R) \}_{1 \le i \le n}$. It is possible to generate a set of ciphertexts $\{ (L'_i, R'_i) \}_{1 \le i \le n}$
by choosing any sub-key $K_2$ and computing: $\bar{L}_i = L_i + Z$, $R'_i = R + S(L_i + Z)$,
$L'_i = L_i + Z + H_{K_2}(R'_i)$. With $\{ ((L_i, R), (L'_i, R'_i)) \}_{1 \le i \le n}$ as input, $A_n$ outputs
$K_2$, which was already known, and $K_1$, which was unknown. □

Again, when we say efficiently we disregard any effort put by the oracle 
itself (see Remark 1.4). 

Corollary 2.5. If the (keyed) hash function is key-resistant, no efficient multi- 
pair oracle exists for BEAR. 
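
The pair construction from the proof of Th. 2.4, checked against a real BEAR encryption, as an added example that is not from the paper. SHA-256 with a prepended key as $H_K$, SHAKE-256 as $S$, the byte sizes and all function names are assumptions.

```python
import hashlib
import os

L_BYTES, K_BYTES = 32, 48        # assumed sizes: l = 256 bits, k = 384 bits, k > l

def xor(a, b):
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))

def H(key, msg):
    """Keyed hash H_K(M) = H'(K || M) with H' = SHA-256 (assumed instantiation)."""
    return hashlib.sha256(key + msg).digest()

def S(seed, n):
    """Stream cipher S expanding an l-bit seed to n bytes (SHAKE-256 stands in)."""
    return hashlib.shake_256(seed).digest(n)

def bear_encrypt(k1, k2, L, R):
    Lbar = xor(L, H(k1, R))
    R2 = xor(R, S(Lbar, len(R)))
    L2 = xor(Lbar, H(k2, R2))
    return L2, R2

def bear_decrypt(k1, k2, L2, R2):
    Lbar = xor(L2, H(k2, R2))
    R = xor(R2, S(Lbar, len(R2)))
    L = xor(Lbar, H(k1, R))
    return L, R

def reduction_pairs(Z, R, k2, n):
    """Th. 2.4: given only (Z, R) with Z = H_{K1}(R), build n plaintext/ciphertext
    pairs that are valid under (K1, K2) without ever touching K1."""
    pairs = []
    for _ in range(n):
        L = os.urandom(L_BYTES)          # the chosen L_i
        Lbar = xor(L, Z)                 # equals L_i + H_{K1}(R)
        R2 = xor(R, S(Lbar, len(R)))
        L2 = xor(Lbar, H(k2, R2))
        pairs.append(((L, R), (L2, R2)))
    return pairs

def demo(n=4):
    """Returns True when every constructed pair matches genuine BEAR under (K1, K2)."""
    k1 = os.urandom(K_BYTES)             # challenge key, hidden from the reduction
    R = os.urandom(64)                   # constructed sample right half
    Z = H(k1, R)                         # the instance handed to the reduction
    k2 = os.urandom(K_BYTES)             # sub-key the reduction picks freely
    pairs = reduction_pairs(Z, R, k2, n)
    return all(bear_encrypt(k1, k2, *pt) == ct and
               bear_decrypt(k1, k2, *ct) == pt for pt, ct in pairs)

if __name__ == "__main__":
    print(demo())
```

All $n$ plaintexts share the same right half $R$, which is what lets a single value $Z$ stand in for the first round in every pair.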

Unfortunately we have not been able to obtain a direct improvement of
Theorem 1.1, but it is quite simple to modify BEAR in order to obtain a
similar result also for the stream cipher. Let us consider the following variation
of BEAR's scheme, in which $\mathcal{K} \subset \mathbb{F}^k \times \mathbb{F}^l \times \mathbb{F}^k$, for some $k$, with $K_1, K_3 \in \mathbb{F}^k$
and $K_2 \in \mathbb{F}^l$.

BEAR2

ENCRYPTION                              DECRYPTION

$\bar{L} = L + H_{K_1}(R)$              $\bar{L} = L' + H_{K_3}(R')$
$R' = R + S(\bar{L} + K_2)$             $R = R' + S(\bar{L} + K_2)$
$L' = \bar{L} + H_{K_3}(R')$            $L = \bar{L} + H_{K_1}(R)$



First we extend Th. 2.4 from BEAR to BEAR2. 

Theorem 2.6. Let $n > 1$. Let $A_n$ be an oracle able to find the key of BEAR2
given any set of $n$ plaintext-ciphertext pairs $\{ ((L_i, R_i), (L'_i, R'_i)) \}_{1 \le i \le n}$. Then
$A_n$ is able to solve any equation $Z = H_{K_1}(R)$, knowing $Z$ and $R$, for any
random $R$ and any random $K_1 \in \mathbb{F}^k$.

Proof. Obvious adaptation of the proof of Th. 2.4. We choose this time $K_2$
and $K_3$, we obtain $K_1$ again. □

Now we are ready for the following result, linking the security of BEAR2
also to the properties of the stream cipher in a multi-pair context.

Theorem 2.7. Let $n > 1$. Let $A_n$ be an oracle able to find the key of BEAR2
given any set of $n$ plaintext-ciphertext pairs $\{ ((L_i, R_i), (L'_i, R'_i)) \}_{1 \le i \le n}$. Then
$A_n$ is able to solve any equation $Z = S(X + K_2)$, knowing $Z$ and $X$, for any
random $X \in \mathbb{F}^l$ and any random $K_2 \in \mathbb{F}^l$.

Proof. Let us choose a set $\{ R_i \}_{1 \le i \le n} \subset \mathbb{F}^r$ and two sub-keys $K_1$, $K_3$. It is
possible to generate plaintext/ciphertext pairs by choosing $L_i = X + H_{K_1}(R_i)$
and computing: $\bar{L}_i = L_i + H_{K_1}(R_i) = X$, $R'_i = R_i + Z$, $L'_i = X + H_{K_3}(R'_i)$.
We give in input to $A_n$ the set $\{ ((L_i, R_i), (L'_i, R'_i)) \}_{1 \le i \le n}$. $A_n$ returns $K_1$, $K_3$,
which were already known, and $K_2$, which was unknown. □

We can summarize our findings on BEAR2 in the following corollary. 

Corollary 2.8. No efficient multi-pair key-recovery oracle exists for BEAR2 
if the hash function is key-resistant or the stream cipher is key-resistant. 

2.2 Our improvements for LION 

A result similar to Theorem 2.4 holds for LION. 

Theorem 2.9. Let $n > 1$. Let $A_n$ be an oracle able to find the key of LION
given any set of $n$ plaintext-ciphertext pairs $\{ ((L_i, R_i), (L'_i, R'_i)) \}_{1 \le i \le n}$. Then
$A_n$ is able to solve any equation $Z = S(L + K_1)$, knowing $Z$ and $L$, for any
random $L \in \mathbb{F}^l$ and any random $K_1 \in \mathbb{F}^l$.



L. Maines, M. Piva, A. Rimoldi, M. Sala 






Proof. Let us choose a set $\{ R_i \}_{1 \le i \le n} \subset \mathbb{F}^r$ and consider the set of plaintexts
$\{ (L, R_i) \}_{1 \le i \le n}$. It is possible to generate a set of ciphertexts $\{ (L'_i, R'_i) \}_{1 \le i \le n}$
by choosing any sub-key $K_2$ and computing: $\bar{R}_i = R_i + S(L + K_1) = R_i + Z$,
$L'_i = L + H(R_i + Z)$, $R'_i = R_i + Z + S(L'_i + K_2)$. Using $A_n$ we can find $K_2$,
which was already known, and $K_1$, which was unknown. □

As we have already seen for BEAR, we have not been able to extend a result
similar to Theorem 2.9 also for its hash functions, but it is quite simple to
modify LION in order to obtain it, as in the following table, where $K_1, K_3 \in \mathbb{F}^l$
and $K_2 \in \mathbb{F}^k$, and so $\mathcal{K} \subset \mathbb{F}^l \times \mathbb{F}^k \times \mathbb{F}^l$ for some $k$.



LION2

ENCRYPTION                              DECRYPTION

$\bar{R} = R + S(L + K_1)$              $\bar{R} = R' + S(L' + K_3)$
$L' = L + H_{K_2}(\bar{R})$             $L = L' + H_{K_2}(\bar{R})$
$R' = \bar{R} + S(L' + K_3)$            $R = \bar{R} + S(L + K_1)$



Theorem 2.10. Let $n > 1$. Let $A_n$ be an oracle able to find the key of LION2
given any set of $n$ plaintext-ciphertext pairs $\{ ((L_i, R_i), (L'_i, R'_i)) \}_{1 \le i \le n}$. Then
$A_n$ is able to solve any equation $Z = S(L + K_1)$, knowing $Z$ and $L$, for any
random $L \in \mathbb{F}^l$ and any random $K_1$.

Proof. Obvious adaptation of the proof of Th. 2.9. □

Theorem 2.11. Let $n > 1$. Let $A_n$ be an oracle able to find the key of LION2
given any set of $n$ plaintext-ciphertext pairs $\{ ((L_i, R_i), (L'_i, R'_i)) \}_{1 \le i \le n}$. Then
$A_n$ is able to solve any equation $Z = H_{K_2}(X)$, knowing $Z$ and $X$, for any
random $X \in \mathbb{F}^r$ and any random $K_2 \in \mathbb{F}^k$.

Proof. Let us choose a set $\{ L_i \}_{1 \le i \le n} \subset \mathbb{F}^l$ and any sub-keys $K_1, K_3 \in \mathbb{F}^l$. It
is possible to generate plaintext/ciphertext pairs by choosing $R_i = X + S(L_i + K_1)$
and computing: $\bar{R}_i = R_i + S(L_i + K_1) = X + S(L_i + K_1) + S(L_i + K_1) =
X$, $L'_i = L_i + Z$, $R'_i = X + S(L'_i + K_3)$. We give in input to $A_n$ the set
$\{ ((L_i, R_i), (L'_i, R'_i)) \}_{1 \le i \le n}$. $A_n$ returns $K_1$, $K_3$, which were already known, and $K_2$,
which was unknown. □

We can summarize our findings on LION and LION2 in the following
corollary.

Corollary 2.12. No efficient multi-pair key-recovery oracle exists for LION 
if the stream cipher is key-resistant. 

No efficient multi-pair key-recovery oracle exists for LION2 if the hash
function is key-resistant or the stream cipher is key-resistant.

2.3 Our improvements for LIONESS

Since LIONESS combines the construction of LION and BEAR, it is quite
obvious that any provable-security result holding for BEAR and LION still
holds for LIONESS. For completeness, we give the formal proofs for our
multi-pair results.

Theorem 2.13. Let $n > 1$. Let $A_n$ be an oracle able to find the key of
LIONESS given any set of $n$ plaintext-ciphertext pairs $\{ ((L_i, R_i), (L'_i, R'_i)) \}_{1 \le i \le n}$.
Then $A_n$ is able to solve any equation $Z = S(L + K_1)$, knowing $Z$ and $L$, for
any random $L \in \mathbb{F}^l$ and any random $K_1 \in \mathbb{F}^l$.

Proof. Let us choose a set $\{ R_i \}_{1 \le i \le n} \subset \mathbb{F}^r$ and consider the set of plaintexts
$\{ (L, R_i) \}_{1 \le i \le n}$. It is possible to generate a set of ciphertexts $\{ (L'_i, R'_i) \}_{1 \le i \le n}$
by choosing any sub-keys $K_2, K_3, K_4$ and computing: $\bar{R}_i = R_i + Z$, $\bar{L}_i =
L + H_{K_2}(\bar{R}_i)$, $R'_i = \bar{R}_i + S(\bar{L}_i + K_3)$ and $L'_i = \bar{L}_i + H_{K_4}(R'_i)$. Using $A_n$ we can
find $K_2$, $K_3$, $K_4$, which were already known, and $K_1$, which was unknown. □

Theorem 2.14. Let $n > 1$. Let $A_n$ be an oracle able to find the key of
LIONESS given any set of $n$ plaintext-ciphertext pairs $\{ ((L_i, R_i), (L'_i, R'_i)) \}_{1 \le i \le n}$.
Then $A_n$ is able to solve any equation $Z = H_{K_4}(R')$, knowing $Z$ and $R'$, for
any random $R' \in \mathbb{F}^r$ and any random $K_4$.

Proof. Let us choose a set $\{ L'_i \}_{1 \le i \le n} \subset \mathbb{F}^l$ and consider the set of ciphertexts
$\{ (L'_i, R') \}_{1 \le i \le n}$. It is possible to generate a set of plaintexts $\{ (L_i, R_i) \}_{1 \le i \le n}$
by choosing any sub-keys $K_1, K_2, K_3$ and decrypting: $\bar{L}_i = L'_i + Z$, $\bar{R}_i =
R' + S(\bar{L}_i + K_3)$, $L_i = \bar{L}_i + H_{K_2}(\bar{R}_i)$, $R_i = \bar{R}_i + S(L_i + K_1)$. Using $A_n$ we can
find $K_1$, $K_2$, $K_3$, which were already known, and $K_4$, which was unknown. □

3 Conclusions and further comments 

Let us consider a keyed hash function with a very weak requirement, i.e.,
that it is surjective both fixing the key and with respect to the keys (see
Remark 1.3). Anderson and Biham prove that no single-pair oracle exists for
BEAR, under the assumption that "the stream seed is difficult to recover
OR the hash function is collision resistant OR the hash preimage is hard
to recover". We prove that no multi-pair oracle exists for BEAR under the
assumption that "hash is key-resistant". We also suggest a slight modification
of BEAR, BEAR2, where we can prove that no multi-pair oracle exists under
the assumption that "hash is key-resistant OR stream is key-resistant".

The conclusions about key-recovery attacks for LION are quite similar to
those for BEAR. Anderson and Biham claim without proof that no single-pair
oracle exists for LION under the assumption that "the stream seed is
difficult to recover OR the hash function is collision resistant OR the hash
preimage is hard to recover". However, we have found no direct proof following
their outline. We prove that no single-pair oracle exists for LION under the
assumption that the stream seed is difficult to recover. To prove the same
thing with assumptions on the hash function, we need a condition that we
call good pairing. Interestingly, this condition follows from the pseudo-random
nature of $S$ OR the pseudo-random nature of $H$. Taking the good pairing for
granted, we finish proving their claim, that is, no single-pair oracle exists for
LION under the assumption that "the hash function is collision resistant OR
the hash preimage is hard to recover". As in the case of BEAR, we prove that
no multi-pair oracle exists for LION under the assumption that "the stream
cipher is key-resistant", which is equivalent to "the stream preimage is hard
to recover" in many practical situations. We also suggest a slight modification
of LION, LION2, where we can prove that no multi-pair oracles exist under
the assumption that "the hash function is key-resistant OR the stream cipher
is key-resistant".

As regards key-recovery attacks, LIONESS's virtues are the sum of LION's
and BEAR's virtues. So it is possible to prove the non-existence of one-pair
oracles using the authors' assumptions, but we can indeed prove the
non-existence of multi-pair oracles under only the key-resistance assumption.

We note that an attack by Morin ([Mor96]) has somewhat diminished the
confidence in the robustness of these schemes. However, the attack succeeds
only because its brute force search on the round function contradicts the
key-resistance of the hash function and of the stream function. So, whenever $\mathcal{H}$ or
$S$ remain key-resistant, both LION and BEAR are immune to such attacks.